
i-worm.fo


Description: Details
I-Worm.Fog

This is a Win32 email worm with backdoor and DDoS capabilities. The worm itself is a Win32 application (PE EXE file) about 180K in size when packed with UPX and about 500K when unpacked. The worm is written in Delphi.
The worm sends itself to other machines as an email attachment named AntiVirus.exe. To spread, it uses MAPI to connect to the email client. The worm also reports the infected machine to an IRC channel (the worm host's channel?) and then activates backdoor and DDoS routines that allow a remote master to control the infected machine and perform DoS attacks on remote machines.
When an infected file is started (run by the user from an infected message or from any other source), the worm displays a message box:
Explorer
i reb00t
[OK]
When the OK button is pressed, the worm copies itself into the Windows system directory as "AntiVirus.exe" and into the Windows Fonts directory as "Times New Roman.exe". The latter file is then registered in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Windows = %windows font directory%\Times New Roman.exe
To spread, the worm looks in the Inbox for all messages that have at least one attached file, and replies with an infected message that has:
Subject: I think that you sent me a virus.. heres a cleaner
Body: I took my computer to the shop and they ran this, and told me to send it to you.. hope this helps.
Attach: AntiVirus.exe
The worm also deletes NETSTAT.EXE and REGEDIT.EXE in the Windows directory. It also looks for anti-virus and some other processes that are currently active and tries to terminate them:
APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE
IAMSERV.EXE IAMAPP.EXE PCFWallIcon.EXE FRW.EXE VSHWIN32.EXE
VSECOMR.EXE WEBSCANX.EXE AVCONSOL.EXE VSSTAT.EXE NAVAPW32.EXE
NAVW32.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE AVP32.EXE
AVPCC.EXE AVPM.EXE AVP.EXE LOCKDOWN2000.EXE
ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE
TDS2-98.EXE TDS2-NT.EXE ZONEALARM.EXE MINILOG.EXE SAFEWEB.EXE
IFACE.EXE ANTS.EXE ANTI-TROJAN.EXE BLACKICE.EXE BLACKD.EXE
VSMON.EXE WRCTRL.EXE WRADMIN.EXE CLEANER3.EXE CLEANER.EXE
TCA.EXE MOOLIVE.EXE SPHINX.EXE

The worm contains the "copyright" text strings:
[Fist Of God]
[Remote DDoS]
[v2.7b]
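
A host triage check built from the artifacts described above, as an added example that is not part of the original description. The snapshot format, the function name triage and both sample hosts are assumptions constructed for illustration; the autorun rule is generalised to any executable started from the Fonts directory.

```python
import ntpath  # Windows path rules, usable on any OS

# Artifacts taken from the description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
DROPPED = (("system", "antivirus.exe"), ("fonts", "times new roman.exe"))
DELETED_TOOLS = ("netstat.exe", "regedit.exe")

def triage(snapshot):
    """Return (kind, detail) findings for one host snapshot (hypothetical format)."""
    dirs = {k: v.lower().rstrip("\\") for k, v in snapshot["dirs"].items()}
    files = {f.lower() for f in snapshot["files"]}
    findings = []
    # 1. Worm copies in the system and Fonts directories.
    for role, name in DROPPED:
        path = ntpath.join(dirs[role], name)
        if path in files:
            findings.append(("dropped-file", path))
    # 2. Generalised: no executable should auto-start from the Fonts directory,
    #    whatever the value name or file name is.
    for key, value_name, data in snapshot["autoruns"]:
        target = data.strip('"').lower()
        if target.endswith(".exe") and ntpath.dirname(target) == dirs["fonts"]:
            findings.append(("autorun-from-fonts", f"{key}\\{value_name} -> {target}"))
    # 3. Tools the worm deletes from the Windows directory. Weak signal alone:
    #    some Windows versions keep netstat.exe elsewhere.
    for tool in DELETED_TOOLS:
        if ntpath.join(dirs["windows"], tool) not in files:
            findings.append(("missing-tool", tool))
    return findings

# Constructed sample snapshots (not real host data).
DIRS = {"windows": r"C:\WINDOWS", "system": r"C:\WINDOWS\SYSTEM",
        "fonts": r"C:\WINDOWS\FONTS"}
INFECTED = {
    "dirs": DIRS,
    "files": [r"C:\WINDOWS\SYSTEM\AntiVirus.exe",
              r"C:\WINDOWS\FONTS\Times New Roman.exe",
              r"C:\WINDOWS\FONTS\times.ttf"],
    "autoruns": [(RUN_KEY, "Windows", r"C:\WINDOWS\FONTS\Times New Roman.exe")],
}
CLEAN = {
    "dirs": DIRS,
    "files": [r"C:\WINDOWS\NETSTAT.EXE", r"C:\WINDOWS\REGEDIT.EXE",
              r"C:\WINDOWS\FONTS\times.ttf"],
    "autoruns": [(RUN_KEY, "SchedulingAgent", r"C:\WINDOWS\SYSTEM\mstask.exe")],
}

if __name__ == "__main__":
    for name, host in (("INFECTED", INFECTED), ("CLEAN", CLEAN)):
        print(name, triage(host))
```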

Updated: 02/24/2006